SB2023073104 - Multiple vulnerabilities in Discourse
Published: July 31, 2023 Updated: December 17, 2025
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Race condition (CVE-ID: CVE-2023-37904)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a race condition in the Accept Invite flow. A remote user can exploit the race to create more users than an invite link permits.
2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-38684)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to unbounded limits in various controller actions. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
3) Reusing a Nonce, Key Pair in Encryption (CVE-ID: CVE-2023-37467)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to reuse of the CSP (Content Security Policy) nonce. A remote user can bypass CSP protection.
4) Resource exhaustion (CVE-ID: CVE-2023-38498)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources within the defer queue. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.
5) Input validation error (CVE-ID: CVE-2023-37906)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the post edit reason. A remote user can edit a post in a topic and perform a denial of service (DoS) attack.
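For the CSP nonce reuse issue in item 3, a defender-side check, added here as an example and not code from this bulletin or the Discourse project: it parses Content-Security-Policy header values captured from several responses and reports any nonce that appears in more than one response, plus any nonce too short to be unpredictable. The header values below are constructed sample data.

```ruby
# Added example (not from the bulletin or the Discourse project): a checker
# for nonce-based CSP. A correct deployment issues a fresh, unpredictable
# nonce on every response; a nonce that repeats across responses can be
# learned from one page and reused to satisfy the policy on another.
require 'securerandom'

# Extract every 'nonce-<value>' source from one CSP header value.
def csp_nonces(header_value)
  header_value.split(';').flat_map do |directive|
    directive.strip.split(/\s+/).map do |source|
      m = source.match(%r{\A'nonce-([A-Za-z0-9+/=_-]+)'\z})
      m && m[1]
    end.compact
  end.uniq
end

# Given CSP header values (one per observed response), return the nonces
# seen in more than one response, mapped to how many responses used them.
def reused_nonces(header_values)
  counts = Hash.new(0)
  header_values.each do |hv|
    csp_nonces(hv).each { |n| counts[n] += 1 }
  end
  counts.select { |_, c| c > 1 }
end

# Nonces shorter than 22 base64 characters carry fewer than the 128 bits of
# entropy the CSP specification recommends, so flag them as weak.
def weak_nonces(header_values)
  header_values.flat_map { |hv| csp_nonces(hv) }.uniq.select { |n| n.length < 22 }
end

# Constructed sample headers: the first three reuse one nonce (the defect
# pattern), the fourth carries a freshly generated nonce.
SAMPLE_HEADERS = [
  "default-src 'self'; script-src 'self' 'nonce-AbCdEfGhIjKlMnOpQrStUv'",
  "default-src 'self'; script-src 'self' 'nonce-AbCdEfGhIjKlMnOpQrStUv'",
  "script-src 'nonce-AbCdEfGhIjKlMnOpQrStUv' 'strict-dynamic'; object-src 'none'",
  "default-src 'self'; script-src 'self' 'nonce-#{SecureRandom.base64(16)}'"
].freeze

if __FILE__ == $0
  reused_nonces(SAMPLE_HEADERS).each { |n, c| puts "nonce reused across #{c} responses: #{n}" }
  weak_nonces(SAMPLE_HEADERS).each { |n| puts "nonce too short to be unpredictable: #{n}" }
end
```

Feed the checker header values captured from repeated requests to the same and to different pages; a clean deployment reports nothing.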
Remediation
Install the update from the vendor's website.
References
- https://github.com/discourse/discourse/commit/62a609ea2d0645a27ee8adbb01ce10a5e03a600b
- https://github.com/discourse/discourse/security/advisories/GHSA-6wj5-4ph2-c7qg
- https://github.com/discourse/discourse/security/advisories/GHSA-ff7g-xv79-hgmf
- https://github.com/discourse/discourse/commit/bfc3132bb22bd5b7e86f428746b89c4d3d7f5a70
- https://github.com/discourse/discourse/commit/0976c8fad6970b6182e7837bf87de07709407f25
- https://github.com/discourse/discourse/security/advisories/GHSA-gr5h-hm62-jr3j
- https://github.com/discourse/discourse/commit/26e267478d785e2f32ee7da4613e2cf4a65ff182
- https://github.com/discourse/discourse/security/advisories/GHSA-wv29-rm3f-4g2j
- https://github.com/discourse/discourse/security/advisories/GHSA-pjv6-47x6-mx7c
- https://github.com/discourse/discourse/commit/dcc825bda505a344eda403a1b8733f30e784034a